Raising the Bar Beyond Privacy Compliance

Raising the Bar Beyond Privacy Compliance
Author: Guy Pearce, CGEIT, CDPSE
Date Published: 12 November 2020

In the context of privacy by default, privacy compliance is not nearly enough.

Compliance sets the minimum bar for privacy professionals, and not a very high bar at that. Indeed, in the context of privacy by default, compliance barely scratches the surface with respect to your fiduciary responsibilities as a privacy professional. For those who feel accountable to deliver more than just the bare legal minimum as privacy professionals and as responsible stewards of their customer/citizen data, please read on.

So, why would anyone realistically want to consider more than compliance when addressing their compliance obligations? The challenge begins with the fact that the law – and therefore our obligation to comply with it – is silent and will continue to remain silent on many matters related to privacy.

For example, the legal obligation underlying the current focus on cookie banners – driven largely by GDPR and thus a compliance requirement for any organization anywhere collecting data about natural persons in the European Union – can be quite mum on many things related to the cookie acceptance request that an individual is acquiescing to. The text and/or privacy policy may read that, by accepting the cookie request, the customer’s data may be processed in a way that is really quite unacceptable to the customer. However, the customer will have legally agreed to this unacceptable behavior by having clicked on “Accept.” Many would not know this given that so many don’t bother to read the implications of that one easy click.

In effect, the organization now has permission by means of that explicit consent to process and even sell your data in the same way they did before laws like the GDPR were promulgated, since the customer provided explicit consent to the organization to do so by having clicked on “Accept.” In effect, this means that the customer may suffer from a privacy illusion, thinking that a compliant organization is actively protecting their interests as defined by the law. However, all that has really changed is that the customer provided explicit consent for the organization to process the data in the same way it had before these laws were in effect and before consent was required.    

This problem is exacerbated by the fact that the absence of viable alternatives to the service being offered by the vendor in question means that there is often no viable choice but to have clicked “Accept,” which begs the question of whether the explicit consent provided really was freely given. The law, again, is silent on this matter.

My presentation at ISACA’s Privacy In Practice virtual conference on 8 December, “8 Future Privacy Governance Imperatives Boards Have a Duty to Perform,” helps highlight eight such areas privacy professionals – and indeed boards – should be focusing on in the interests of truly demonstrating their fiduciary responsibilities to their customers. The presentation specifically emphasizes why compliance is not nearly enough, given that the law does not necessarily serve the best interests of those it is assumed to protect.

Editor’s note: Find out more about ISACA’s new technical privacy certification, Certified Data Privacy Solutions Engineer (CDPSE).